We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
漏洞产生原因详情请见XSS导致客户端RCE,仅通过黑名单的方式进行过滤是无法保证安全性的,更换Payload如下
![a]("<img src=xss onerror=alert(1)>)
之后还可以进行命令执行
The text was updated successfully, but these errors were encountered:
仅通过黑名单的方式进行过滤是无法保证安全性的
大佬有什么建议吗?
Sorry, something went wrong.
仅通过黑名单的方式进行过滤是无法保证安全性的 大佬有什么建议吗?
XSS主要是对输入进行处理,可以参考一些类似于DOMPurify的框架,命令执行的问题可以升级electron或者配置一下electron的nodeIntegration
仅通过黑名单的方式进行过滤是无法保证安全性的 大佬有什么建议吗? XSS主要是对输入进行处理,可以参考一些类似于DOMPurify的框架,命令执行的问题可以升级electron或者配置一下electron的nodeIntegration
感谢指导啊,我们继续改进一下对 HTML 属性的过滤处理,实现代码见 https://github.com/88250/lute/blob/master/render/sanitizer.go
🐛 Protyle XSS 导致客户端 RCE 2 siyuan-note/siyuan#3444
5fc26dd
88250
Vanessa219
No branches or pull requests
描述问题 Describe the problem
漏洞产生原因详情请见XSS导致客户端RCE,仅通过黑名单的方式进行过滤是无法保证安全性的,更换Payload如下
之后还可以进行命令执行
版本环境 Version environment
The text was updated successfully, but these errors were encountered: